What is the best security awareness payload for the Rubber Ducky?

A two second HID attack against Windows and Mac that launches the website of your choosing. That's by far the most effective security awareness payload for the USB Rubber Ducky.

Cyber security awareness building is important, and developing an effective security awareness program - or at least raising eyebrows that one is even necessary - doesn't need to be difficult.

WE COULD ALL USE SOME CYBER SECURITY AWARENESS

Hot off the heels of the bank heist security awareness campaign in Beirut with Jayson Street (See Breakthrough - Cyber Terror on National Geography), @Snubs and I set off to perform our own security awareness research. We were given the unique opportunity to present the keynote at AusCERT 2017 in the Gold Coast of Australia. Our talk was all about trust, convenience, and how USB and better yet Humans are the universal attack vector. CSO has a great write-up.

Essentially we wanted to see if the cyber security community practiced what it preached. Specifically following best practices with regards to foreign USB drives. What we found was astounding. Judging from our own informal poll, it seems many of us in the information security world don't even bother with basic anti-virus, so how would we fare as an industry against foreign USB drives?

THE BEST PAYLOAD THAT DOESN'T GATHER SENSITIVE DATA

 

Now I've spoken before about a 2-second USB Rubber Ducky payload which will grab Windows password hashes via SMB. It's a great payload for internal audits - so red teams take note. But for this engagement the last thing we wanted was any sensitive data.

Unlike Google, who conducted a similar USB drop at a university with the intent of obtaining reverse shells on the target machines, we opted for something completely benign. Our payload only launches a tiny URL, which takes the target to US-CERT Bulletin ST08-001: Using Caution with USB Drives. The US-CERT bulletin, from the National Cyber Awareness System, states:

Do not plug an unknown USB drive into your computer - If you find a USB drive, give it to the appropriate authorities (a location's security personnel, your organization's IT department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.

ABOUT HALF OF USB DROP DRIVES GET PLUGGED IN

Of the 100 USB Rubber Ducky drives we dropped, we noticed 162 executions from 62 unique IP addresses throughout a 65 day period. Mind you, this was at a conference primarily made up of professionals working in the cyber security industry. Now since we did not uniquely identify each drives payload, we cannot determine the actual percentage plugged in. However, based on the unique factors we can track, the results do seem inline with Google's findings - that 48% of people do plug-in USB drives found in parking lots.

The other data of interest indicated that targets were 68% Windows and 32% Mac. Browsers were 69% Chrome, 24% Safari and shockingly 7% Internet Explorer. The vast majority of executions were within the first week of the conference, however the long tail lasted until mid-April.

HOW DO I PERFORM THIS AUDIT AGAINST MY OWN ORGANIZATION

Setting this up for your own security awareness campaign is dead simple. All you need is this payload, a few USB Rubber Duckies, a URL to point the payloads and a few creative spots to leave the drives.

For the URL you could setup a website to let the user know they've broken corporate policy and to contact IT - or you could do what we did and send 'em to US-CERT. Either way you'll be able to track the executions. This can be done either with your own web server (preferably running PHP), or you can just use Google's goo.gl URL shortener to get the analytics.

Here's the PHP script which will log IP and browser data along with forwarding on the target to your URL of choice. Uncomment the mail command and change the SMS gateway if you want your phone to ding every time someone plugs one in :)

<?php
$today = date("F j, Y, g:i a");
$data = json_encode(array("headers" =&amp;amp;gt; getallheaders(), "server" =&amp;amp;gt; $_SERVER, "request" =&amp;amp;gt; $_REQUEST));
file_put_contents("summary.txt", $today . "\t" . $_SERVER['REMOTE_ADDR'] . "\t" . $_SERVER['HTTP_USER_AGENT'] . "\n", FILE_APPEND);
file_put_contents("full-data.txt", $data . "\n", FILE_APPEND);
$message = $today . " - " . $_SERVER['REMOTE_ADDR'];
mail('5105551212@tmomail.net', 'subject', $message);
?>
<html><head><meta charset="UTF-8" />
<meta http-equiv="refresh" content="1;url=https://www.us-cert.gov/ncas/tips/ST08-001" />
<script type="text/javascript">window.location.href = "https://www.us-cert.gov/ncas/tips/ST08-001"</script>
<title>Page Redirection</title></head>
<body>If you are not redirected automatically, follow the <a href="https://www.us-cert.gov/ncas/tips/ST08-001">link</a>.</body></html>

You'll need to touch full-data.txt and summary.txt and chmod them accordingly.

This cross-platform USB Rubber Ducky payload works against Windows, Mac and some Linux window managers which support URLs from the ALT+F2 menu (like Ubuntu's Unity).

DELAY 1000
ALT F2
DELAY 50
GUI SPACE
DELAY 50
GUI r
DELAY 50
BACKSPACE
DELAY 100
STRING http://example.com
ENTER

Replace example.com with the URL of your choosing.

Finally, load up the ducks, find some enticing places to plant 'em, and watch the logs as humans do what humans do best.

WHY DOES THIS WORK

As users and as a society, we expect technology to "just work".

As developers and systems administrators, in order to make things "just work", we typically need to put in hard coded trusts.

As hackers and penetration testers, wherever we find these hard coded trusts, it's simply a matter of telling the right lie. Something we learned to do from childhood.

Hacking is all about trust. As in life - trust is hard to build & easy to break. Hacking is violating the inherent trust in complex systems.

Happy Hacking!



Also in USB Rubber Ducky

Detect Ready - Smarter Initial Delays for Keystroke Injection Attacks with the USB Rubber Ducky
Detect Ready - Smarter Initial Delays for Keystroke Injection Attacks with the USB Rubber Ducky

Since the beginning of Keystroke Injection attacks using DuckyScript 1.0, conventional wisdom has been to begin payloads with a 3000 millisecond delay (DELAY 3000). Using DuckyScript 3.0 extensions, this may be reduced to as little as 25 milliseconds!
Keystroke Reflection - Side-Channel Exfiltration for the USB Rubber Ducky
Keystroke Reflection - Side-Channel Exfiltration for the USB Rubber Ducky

Keystroke reflection exploits the defacto standard keyboard-computer architecture implemented by all IBM-PC compatibles since 1984 and adopted in usb-hid to provide a side-channel exfiltration pathway that impacts nearly all personal computers from the last 4 decades.
The 3 Second Reverse Shell with a USB Rubber Ducky
The 3 Second Reverse Shell with a USB Rubber Ducky

A reverse shell is a type of shell where the victim computer calls back to an attacker’s computer. The attacking computer typically listens on a specific port. When it receives the connection it is then able to execute commands on the victim computer. In essence it’s remote control of a computer.